How to Encrypt with a Malicious Random Number Generator Seny Kamara1? and Jonathan Katz2?? 1
Johns Hopkins University
[email protected] 2 University of Maryland
[email protected]
Abstract. Chosen-plaintext attacks on private-key encryption schemes are currently modeled by giving an adversary access to an oracle that encrypts a given message m using random coins that are generated uniformly at random and independently of anything else. This leaves open the possibility of attacks in case the random coins are poorly generated (e.g., using a faulty random number generator), or are under partial adversarial control (e.g., when encryption is done by lightweight devices that may be captured and tampered with). We introduce new notions of security modeling such attacks, propose two concrete schemes meeting our definitions, and show generic transformations for achieving security in this context. Key words: Private-key encryption, random number generation
1
Introduction
Security against chosen-plaintext attacks (CPA-security) [10, 2, 12] is, nowadays, considered a minimal notion of security that any private-key encryption scheme deployed in practice should satisfy. (We defer for now any discussion of security against chosen-ciphertext attacks, though we will consider such attacks later.) Very roughly speaking, CPA-security means that given a challenge ciphertext generated using an unknown key K, a computationally-bounded adversary cannot recover any partial information about the underlying plaintext even if it is given access to an encryption oracle that returns an encryption (using the same key K) of any message m provided by the adversary. This “encryption oracle” is meant, in part, to model potential real-world actions of an adversary that might influence the honest sender (holding the key K) to encrypt certain messages that are (partially or entirely) under the adversary’s control. It is not hard to see that any scheme secure with respect to chosen-plaintext attacks must be probabilistic. Furthermore, it is by now well-understood how to construct CPA-secure schemes under the assumption that the sender is able ? ??
Supported in part by the Phillips and Camille Bradford Fellowship. Research supported in part by the U.S. Army Research Laboratory.
to generate a fresh set of uniformly random coins each time a message is encrypted. In practice, such coins might be generated by using a combination of randomness extractors and pseudorandom number generators (PRNGs) to distill pseudorandom coins from a high-entropy source available to the sender. The above, however, neglects the possibility that the random coins used to encrypt may sometimes be “less than perfect”. For example, the sender may be using a faulty PRNG that produces biased or partially predictable outputs. Or, the random source used to seed the PRNG may have less entropy than originally thought. More malicious scenarios include the possibilities that an adversary may have tampered with the PRNG used by the sender, or may be able to effect some control over the random source used to seed the PRNG. In the most extreme case, the adversary may have physical access to the device performing the encryption (as might be the case if, e.g., encryption is carried out on a lightweight device captured by the adversary), and may then have complete control over the “random coins” that will actually be used to encrypt. We refer to such attacks as chosen-randomness attacks. In this work, we introduce new definitions of security that offer protection against the attacks just described. Our definitions assume the worst possible case: that the randomness used by the encryption oracle is under the complete control of the adversary. In fact, the only random coins that are not under the adversary’s control (other than those used to generate the key) are those that are used to encrypt the challenge ciphertext; we assume those coins are truly random.1 Our definition, then, can be viewed (informally) as offering semantic security for any messages that are encrypted using “good” random coins, even if the adversary is able to “probe” the system repeatedly and thereby cause the sender to use “poor” random coins when encrypting other messages. Summary of our contributions. We formally define security against chosenrandomness attacks (CRA-security), both with and without the additional presence of a decryption oracle. We then show two secure constructions that can be based on any block cipher. The first is a relatively simple fixed-length construction, while the second is a scheme that can encrypt arbitrary-length messages. We also show a generic transformation converting any CPA-secure scheme into a CRA-secure scheme. Finally, we propose a simple way to extend any CRA-secure scheme so as to also achieve security against chosen-ciphertext attacks. 1.1
Related Work
The most relevant prior work is perhaps Rogaway’s notion of nonce-based privatekey encryption [15], which treats the encryption algorithm as a deterministic 1
It is not hard to see that some assumption regarding those coins is necessary in our setting (if the adversary has complete control over all coins, then the scheme degenerates to a deterministic one that cannot be secure); our assumption that the coins used to generate the challenge ciphertext are truly random is made for simplicity, and can be relaxed by using randomness extractors and assuming only access to a high-entropy source when encrypting the challenge ciphertext.
function of the message and a user-provided nonce. (With respect to this viewpoint, it is the responsibility of the user — not the encryption algorithm — to ensure, e.g., that nonces are chosen at random.) In this context, Rogaway defines a notion of security that, roughly speaking, guarantees semantic security as long as nonces never repeat. While this definition is somewhat similar to our own, we show in Section 3.1 that the notion considered by Rogaway is incomparable to the notion of CRA-security considered here; i.e., there are schemes satisfying his definition and not ours, and vice versa. We remark further that the motivations for our work and Rogaway’s work are very different: as argued by Rogaway [15], nonce-based security is best understood as a usability requirement, whereas we are interested in examining a stronger attack model (within the conventional framework for encryption). Adversarial manipulation of a PRNG was mentioned as motivation for our work. While there has been prior work developing “forward-” and “backwardsecure” pseudorandom number generators [4, 1, 8], simply composing such generators with a standard CPA- or CCA-secure encryption scheme does not defend against the attacks considered here. The reason is that these prior works consider only adversaries that learn the internal state of the PRNG, whereas our notions consider stronger adversaries that may control the state of the PRNG. One can therefore view our notion of CRA-security as achieving a strong variant of backward- and forward-security with respect to the underlying source of randomness. In other words, our definitions guarantee that a plaintext encrypted using high-quality randomness is protected even against adversaries that can control the source after the present plaintext is encrypted (i.e., strong forwardsecurity), or that have controlled it in the past (i.e., strong backward-security). Work of McInnes and Pinkas [13] and Dodis et al. [7, 5] has also considered the security of encryption when truly random coins are not available to the sender. Although these works are superficially related to our own, the problems being considered — as well as the motivation — are very different. The work of [13, 7, 5] is unwilling to assume any truly random coins, even during generation of the secret key, and is interested in exploring what can be achieved in such an extreme setting. For this reason, they are primarily concerned with informationtheoretic security (although later work [6, 5] treats computational security) and do not consider security against chosen-plaintext attacks at all. In this work, in contrast, we are willing to assume that truly random coins exist (e.g., during key generation and, at least once, when encrypting), but are concerned that the adversary may periodically be able to tamper with the honest user’s ability to generate true random coins. We are then interested in the question of whether the analogue of CPA-security is achievable.
2
Notation and Preliminaries
We use standard cryptographic notation and terminology. We use ha, bi or akb interchangeably for the concatenation of strings a and b. We let Func[n, m] denote the set of all functions from {0, 1}n to {0, 1}m , and let Perm[n, n] denote the set
of all permutations over {0, 1}n . A function f : N → N is negligible in k, if for every polynomial p and sufficiently large k, f (k) < 1/p(k). We write negl(k) and poly(k) to refer to unspecified negligible and polynomial functions in k. If O is a probabilistic algorithm, then O(x) denotes an execution of O on input x with uniformly chosen random coins, and O(x; r) denotes an execution of O on input x with random coins r. Given a probabilistic algorithm O, we will consider adversaries A given access to an oracle that on input hx, ri returns O(x; r) (this is different from the usual case where A is given access to an oracle that on input x returns O(x; r) for uniformly chosen random coins r). 2.1
Cryptographic Tools
We use standard cryptographic tools which are reviewed here to fix notation. Pseudo-random functions. Let F be an efficiently-computable keyed function, where for a fixed key K of length k we have FK : {0, 1}`in (k) → {0, 1}`out (k) with `in , `out polynomial in k. We say F is a pseudorandom function (PRF) if, informally, the function FK (for a random key K ∈ {0, 1}k ) is indistinguishable from a function f chosen uniformly at random from Func[`in (k), `out (k)]. If F is a PRF and FK is an efficiently-invertible permutation for each choice of K, then we call F a pseudorandom permutation (PRP). We refer to [11] for the formal definitions, which are standard. Encryption. A private-key encryption scheme SKE = (Gen, Enc, Dec) consists of three polynomial-time algorithms with the following functionality: – Gen takes as input a security parameter 1k and returns a key K. – Enc is a probabilistic algorithm that takes as input the key K and a message m from some associated message space. It returns a ciphertext c, and we denote this by c ← EncK (m). – Dec takes as input the key K and a ciphertext c; it returns either a message m in the message space or a special failure symbol ⊥. We write this as m := DecK (c), and assume without loss of generality that Dec is deterministic. We assume perfect correctness: for all k ∈ N, all K output by Gen(1k ), and all messages m in the message space, DecK (EncK (m)) = m. In most schemes, Gen(1k ) simply outputs a random key of length k; when this is the case, we write SKE = (Enc, Dec). We use the standard notions of security against chosen-plaintext attacks (CPA-security) and security against (adaptive) chosen-ciphertext attacks (CCAsecurity); see, e.g., [11]. Message authentication codes (MACs). A message authentication code MAC = (Mac, Vrfy) is a pair of polynomial-time algorithms. Mac takes as input a key K ∈ {0, 1}k and a message m ∈ {0, 1}∗ and outputs a tag t; we assume2 that Mac is deterministic and denote this by t := MacK (m). The deterministic verification algorithm Vrfy takes as input a key K ∈ {0, 1}k , a message 2
This is without loss of generality, and anyway holds for many common constructions.
m ∈ {0, 1}∗ , and a tag t; it outputs a bit b := VrfyK (m, t) where a ‘1’ indicates acceptance and a ‘0’ indicates rejection. We assume that for all k ∈ N, all K ∈ {0, 1}k , and all m ∈ {0, 1}∗ it holds that VrfyK (m, MacK (m)) = 1. Note that we assume trivial key generation, where on security parameter 1k the key is chosen uniformly from {0, 1}k . We also assume MACs for arbitrarylength messages. (Neither assumption is essential, but making these assumptions simplifies the presentation.) We use the standard definition of existential unforgeability under an adaptive chosen message attack; see [11]. A MAC has unique tags if for all k ∈ N, all K ∈ {0, 1}k , and all m ∈ {0, 1}∗ , there is a unique t such that VrfyK (m, t) = 1.
3
Definitions
We now present our definitions of CRA and CCRA-security. Intuitively, CRAsecurity guarantees that, given a ciphertext, no polynomially-bounded adversary can recover any partial information about the plaintext even if it has access to an encryption oracle and complete control over its source of randomness. Definition 1 (CRA-security). Let SKE = (Gen, Enc, Dec) be a private-key encryption scheme. SKE is CRA-secure if the advantage of any polynomial-time adversary A in the following experiment is negligible (in k): 1. First, a key K ← Gen(1k ) is generated. 2. A is allowed to interact with an oracle EncK (· ; ·). We stress that, here, A submits pairs hm, ri and, in return, is given EncK (m; r). (Since A can choose r uniformly at random, this is at least as strong as a chosen-plaintext attack.) 3. A outputs two equal-length messages m0 , m1 . A bit b is chosen at random, and a “challenge ciphertext” c ← EncK (mb ) is computed and given to A. We stress that encryption here uses uniform coins that are not known to A. 4. A may continue to interact with its oracle as before. Eventually, it outputs a bit b0 ; the experiment evaluates to 1 if b0 = b. We denote the above experiment by CRAA,SKE (k), and define the advantage of A in the experiment as Pr[CRAA,SKE (k) = 1] − 21 . The stronger notion of CCRA-security guarantees that, given a ciphertext, no polynomially-bounded adversary can recover any partial information about the plaintext, even if it has access to both an encryption and a decryption oracle and complete control over the encryption oracle’s source of randomness. This is defined in the natural way, and we denote the experiment in this case by CCRAA,SKE (k). We remark that since Dec is deterministic, there is no analogue of the adversary’s being able to “control the randomness” used during decryption. 3.1
Comparison to Previous Definitions
In this section we compare our new definitions to previous security notions for private-key encryption, including CPA- and CCA-security, and the more closely related notions of nonce-based CPA and CCA-security from [15].
Theorem 1. CRA-security is strictly stronger than CPA-security. Proof. It is easy to see that CRA-security implies CPA-security. We show that the converse is not true. Let F be a pseudorandom function, and consider the standard CPA-secure private-key encryption scheme with encryption given by EncK (m; r) = hr, FK (r) ⊕ mi. We claim that this scheme is not CRA-secure. To see this, note that an adversary given a challenge ciphertext hr, ci can submit h0k , ri to its oracle and will receive in return the ciphertext EncK (0k ; r) = hr, FK (r)i. It is then trivial for the adversary to determine the message that was encrypted. Theorem 2. CCRA-security is strictly stronger than CCA-security. A proof is very similar to the proof of the previous theorem, and is omitted. Nonce-based encryption [15] is a formalization of private-key encryption where the encryption algorithm is a deterministic function of a message and a nonce, and the user (or, more generally, the program calling the encryption algorithm as a sub-routine) is responsible for providing the nonce. E.g., in the case of CBC-mode encryption the IV would be an additional input provided to the encryption algorithm as opposed to being generated “internally”. This formulation gives more flexibility with respect to how the nonce is chosen: by assuming the nonce is chosen uniformly each time the encryption algorithm is called, the standard notion of probabilistic encryption is recovered, but another option is to assume only that nonces never repeat (but are not necessarily random). Rogaway [15] considers definitions of security for nonce-based schemes in which the adversary is given some control over the nonce that is used to encrypt at all times, i.e., both when interacting with an encryption oracle as well as when the challenge ciphertext is computed. (A definition of nonce-based CPA-security is given in Appendix A.) Intuitively, these definitions are incomparable to our own because: – On one hand, we assume the adversary has no control over the randomness used to encrypt the challenge ciphertext, whereas Rogaway allows the adversary to have some control over the randomness even in this case. – On the other hand, we give the adversary full control over the randomness used by the encryption oracle, whereas Rogaway restricts the adversary to never using the same nonce twice. We formally prove that the notions are incomparable now. Theorem 3. Nonce-based CPA-security and CRA-security are incomparable. The theorem is a consequence of the following two lemmas. In proving them, we rely on the definition of nonce-based security given in Appendix A; the definition is weaker than that given in [15], but the difference is inessential and unimportant for the present discussion.
Lemma 1. Assuming the existence of one-way functions, there is a private-key encryption scheme that is nonce-based CPA-secure but that is not CRA-secure. Proof. We take the standard encryption scheme used in the proof of Theorem 1. Recall, F is a pseudorandom function, which may be constructed from any oneway function. Encryption is given by EncK (m; r) = hr, FK (r) ⊕ mi, where we treat r as a nonce, and decryption is given by DecK (hr, ci) = FK (r) ⊕ c. We have already shown in the proof of Theorem 1 that this scheme is not CRA-secure. On the other hand, it is not hard to see that it is nonce-based CPAsecure: since the adversary is not allowed to use the same nonce twice, it holds in particular that the nonce r used when encrypting the challenge ciphertext is distinct from any nonce used in answering any queries to the encryption oracle. It then follows easily from the pseudorandomness of F that the scheme is noncebased CPA-secure. Lemma 2. Assuming the existence of a private-key encryption scheme that is CRA-secure, there is a CRA-secure scheme that is not nonce-based CPA-secure. Proof. Let SKE = (Enc, Dec) be a CRA-secure private-key encryption scheme. Assume without loss of generality that, on security parameter k, the encryption algorithm uses k bits of randomness. (We will again treat the random coins used by Enc as a nonce.) Define a modified encryption scheme SKE0 = (Enc0 , Dec) (decryption remains unchanged) as follows: Enc0K (m; rkb) = EncK (m; r), where b is a bit and r ∈ {0, 1}k . It is easy to see that SKE0 is not nonce-based CPA secure: an adversary can simply request to have the challenge ciphertext encrypted using the nonce rk0 and then query its encryption oracle using the (distinct) nonce rk1. (Further details omitted.) It is similarly easy to see that SKE0 remains CRA-secure: oracle queries with respect to the modified scheme SKE0 are no more powerful than oracle queries with respect to the original scheme SKE; when the challenge ciphertext is encrypted, it will be encrypted using algorithm Enc with uniform random coins. In the sections that follow, we will show constructions of CRA-secure encryption schemes that may be based on any one-way function. Using ideas as above, we can similarly show that the notions of CCRAsecurity and nonce-based CCA-security are incomparable.
4
Achieving CRA-Security
In this section we propose two CRA-secure private-key encryption schemes based on PRPs; our first construction handles fixed-length messages only, while our second construction handles messages of variable length. We then show a general transformation from any CPA-secure scheme to a CRA-secure one.
4.1
A Fixed-Length CRA-Secure Construction
Our first construction is a modification of the standard CPA-secure encryption scheme that we have seen before in the proof of Theorem 1. Let P be a pseudorandom permutation on k-bit strings, and let F be a pseudorandom function mapping k-bit inputs to k-bit outputs. Our scheme is defined as follows: Gen(1k ): Choose K1 , K2 ← {0, 1}k and output K = hK1 , K2 i. EncK (m; r): Compute c2 = FK2 (r) ⊕ m, then output the ciphertext hPK1 (r), c2 i. −1 DecK (hc1 , c2 i): Compute r = PK (c1 ). Then output m := FK2 (r) ⊕ c2 as the 1 message.
Theorem 4. If P is a pseudorandom permutation and F is a pseudorandom function, then the scheme described above is CRA-secure. g = (Gen, g Enc, g Dec) g in which Gen g Proof. Consider the (imaginary) scheme SKE g samples p ← Perm[k, k] and f ← Func[k, k] uniformly at random, and Enc(m; r) outputs the ciphertext hp(r), f (r) ⊕ mi. We analyze the security of this scheme in an information-theoretic sense; CRA-security of the scheme described above (for polynomial-time adversaries) then follows easily. Let A be an adversary making at most q(k) queries to its oracle in experiment CRAA,SKE g (k). Let r be the randomness used to generate the challenge ciphertext in this experiment, and let query be the event that one of A’s oracle queries uses randomness r. Then: h i Pr CRAA,SKE (k) = 1 = Pr [ b0 = b ] g = Pr [ b0 = b ∧ query ] + Pr [ b0 = b ∧ query ] from which it follows that h i 0 (k) = 1 − Pr [ b = b | query ] Pr CRAA,SKE ≤ Pr [ query ]. g The following two claims complete the proof of the theorem. Claim. Pr [ query ] ≤ q(k)/2k . This follows from the fact that, after observing the challenge ciphertext and making q 0 queries to its oracle that do not use randomness r, all A knows is that r is not equal to any of the random coins used in its queries thus far. Claim. Pr[b0 = b | query] = 1/2. Let m0 , m1 denote the messages output by A, and let hc1 , c2 i be the challenge ciphertext. If query does not occur, then f (r) is equally likely to be c2 ⊕ m0 or c2 ⊕ m1 (just as in the one-time pad), and thus A can do no better than guess.
4.2
A CRA-Secure Construction for Variable-Length Messages
Our second construction applies a similar modification as in the previous section, but to CTR-mode encryption. Let P be a pseudorandom permutation and F a pseudorandom function, as in the previous section. Gen(1k ): Choose K1 , K2 ← {0, 1}k and output K = hK1 , K2 i. EncK (m; r): Parse m into ` blocks m = hm1 , . . . , m` i, each of length k. For 1 ≤ i ≤ `, compute ci = FK2 (r+i)⊕mi . (Here, we are viewing r as a k-bit integer and addition is done modulo 2k ). Output the ciphertext c = hPK1 (r), c1 , . . . , c` i. −1 DecK (hc0 , c1 , . . . , c` i): Compute r = PK (c0 ). For 1 ≤ i ≤ `, compute mi = 1 FK2 (r + i) ⊕ ci . Output m = hm1 , . . . , m` i.
Theorem 5. If P is a pseudorandom permutation and F is a pseudorandom function then the scheme described above is CRA-secure. g Enc, g Dec) g such that Gen g Proof. Consider the private-key encryption scheme (Gen, g is samples p ← Func[k, k] and f ← Func[k, k] uniformly at random, and then Enc define in the natural way based on the scheme described above. We analyze the security of this scheme in an information-theoretic sense; security of the scheme described above (for polynomial-time adversaries) then follows easily. Let A be an adversary making at most q = q(k) queries to its oracle in experiment CRAA,SKE g (k), where the messages in these queries have block-length at most ` = q(k). We also let q(k) be a bound on the block-length of the messages m0 , m1 output by A. Let r be the randomness used to generate the challenge ciphertext in this experiment, and let query be the event that one of A’s oracle queries uses randomness r0 ∈ {r − q + 1, . . . , r + q − 1}. Then: h i 0 Pr CRAA,SKE g (k) = 1 = Pr [ b = b ] = Pr [ b0 = b ∧ query ] + Pr [ b0 = b ∧ query ] from which it follows that h i 0 Pr CRAA,SKE g (k) = 1 − Pr [ b = b | query ] ≤ Pr [ query ]. The following two claims complete the proof of the theorem. Claim. Pr [ query ] ≤ O(q(k)2 /2k ). Intuitively, the value r used to encrypt the challenge ciphertext is “hidden” from A. Thus, assuming query has not yet occurred, a query made by A to its encryption oracle can cause query to occur with probability at most 2q − 1 (r + q − 1) − (r − q + 1) + 1 = . k 2 2k Applying a union bound to the q queries of A gives the stated result. Claim. Pr[b0 = b | query] = 1/2. This follows by analogy to the one-time pad; conditioned on query not occurring, FK2 (r + 1), . . . , FK2 (r + q) are uniformly distributed from A’s point of view.
4.3
A CPA-to-CRA Transformation
Finally, we present a transformation that turns any CPA-secure private-key encryption scheme into a CRA-secure scheme. The transformation assumes the existence of pseudorandom functions for arbitrary-length inputs; these may be constructed based on any one-way function, whose existence is implied by the existence of a CPA-secure encryption scheme. Let SKE0 = (Gen0 , Enc0 , Dec0 ) be a CPA-secure encryption scheme in which encryption uses k random coins (this is not essential, but makes the analysis easier), and let F be a pseudorandom function. Define SKE as follows: Gen(1k ): Compute K1 ← Gen0 (1k ), and then choose K2 ← {0, 1}k . Output the key K = hK1 , K2 i. EncK (m; r), where r ∈ {0, 1}k : Compute “random coins” r0 = FK2 (mkr). Then output the ciphertext c0 = Enc0K1 (m; r0 ). DecK (c0 ): Output m = Dec0K1 (c0 ). Theorem 6. If SKE0 is a CPA-secure private-key encryption scheme and F is a pseudorandom function, then the scheme described above is CRA-secure. Proof. Given an adversary A attacking the constructed scheme (in the sense of CRA-security), we construct an adversary A0 attacking SKE0 (in the sense of CPA-security). Our adversary A0 is defined as follows: 1. Run A. When A makes oracle query hm, ri to its oracle, A0 queries m to its own (standard) encryption oracle and returns the result to A. We assume without loss of generality that A never makes the same oracle query twice. 2. When A outputs two messages m0 , m1 , these same messages are output by A0 . The challenge ciphertext given to A0 is forwarded to A. 3. Oracle queries of A are handled exactly as before. 4. When A outputs a bit b0 , the same bit is output by A0 . It is not hard to see that the view of A in the above is computationally indistinguishable from its view when attacking the constructed scheme. Thus, the advantage of A0 is negligibly close to the advantage of A. Since SKE0 is CPAsecure by assumption, we conclude that the advantage of A in attacking the constructed scheme (in the sense of CRA-security) is negligible.
5
Achieving CCRA-Security
We now show that the standard “encrypt-then-MAC” transformation [3] from CPA-secure schemes to CCA-secure ones works in our setting also. Let (Mac, Vrfy) be a secure message authentication code, and let SKE0 = (Gen0 , Enc0 , Dec0 ) be a CRA-secure encryption scheme. Define SKE as follows: Gen(1k ): Compute K1 ← Gen0 (1k ), and then choose K2 ← {0, 1}k . Output the key K = hK1 , K2 i.
EncK (m; r): Compute c0 = Enc0K1 (m; r) and t = MacK2 (c0 ). Output the ciphertext hc0 , ti. DecK (hc0 , ti): If VrfyK2 (c0 , t) = 1 then output Dec0K1 (c0 ). Otherwise output ⊥. Theorem 7. If SKE0 is CRA-secure and (Mac, Vrfy) is a secure MAC with unique tags, then the scheme described above is CCRA-secure. Proof. Let A be an adversary attacking SKE in the sense of CCRA-security. Let query be the event that A submits a decryption query hc, ti to its decryption oracle such that DecK (c, t) 6=⊥ and hc, ti was not the result of a previous encryption query. Clearly, Pr [ b0 = b ] = Pr [ b0 = b ∧ query ] + Pr [ b0 = b ∧ query ] from which it follows that |Pr [ b0 = b ] − Pr[b0 = b | query]| ≤ Pr [ query ]. The following claims complete the proof. Claim. For all ppt adversaries A it holds that Pr [ query ] is negligible. We show that if there exists a ppt adversary A such that Pr [ query ] is not negligible, then there exists a ppt adversary B that can win the existential unforgeability experiment against MAC with non-negligible probability. Consider the adversary B that, given 1k and oracle access to MacK (·) and VrfyK (·), begins by generating an encryption key K1 ← Gen0 (1k ) and runs A(1k ) as follows, Given an encryption query e = hm, ri, adversary B computes c ← Enc0K1 (m; r) and queries its own Mac oracle with c, receiving t. Finally, it returns the ciphertext hc, ti to A. Given a decryption query d = hc, ti, adversary B queries its Vrfy oracle with c and t. If the oracle returns 1 then it computes and returns m ← Dec0K1 (c) to A; otherwise it returns ⊥. Adversary B stores all of A’s decryption queries. After polynomially-many queries, A outputs m0 , m1 . B samples b ← {0, 1}, computes c∗ ← Enc0K1 (mb ), and queries its oracle to receive t∗ ← Mac(K, c∗ ). It then runs A with the challenge ciphertext hc∗ , t∗ i, and answers its queries as before. After polynomially many queries, A outputs a bit b0 and halts. Let q(k) be the number of decryption queries made by A. If query has occurred by the end of the game (note that B can determine if this happens), then B outputs the appropriate query for which this first occurred. Notice that B succeeds if query occurs. Since A’s view is identical to its view when attacking SKE, the claim follows. Claim. For all ppt adversaries A, it holds that Pr[b0 = b | query] ≤ 1/2+negl(k).
We show that if there exists a ppt adversary A such that Pr[b0 = b | query] ≥ 1/2 + 1/poly(k), then there exists a ppt adversary B that can succeed in attacking SKE0 (in the sense of CRA-security) with non-negligible probability. Consider B1 that, given 1k , begins by choosing K2 ∈ {0, 1}k and runs A1 (1k ) as follows. Given an encryption query hm, ri, adversary B queries its oracle with hm, ri to obtain a ciphertext c It then computes t ← MacK2 (c), and returns the ciphertext hc, ti to A. It stores the tuple hc, t, mi in a table T . Given a decryption query d = hc, ti, adversary B looks up the pair hc, ti in its table and returns the corresponding plaintext m. If the pair hc, ti is not in T , then it returns ⊥. After polynomially many queries, A outputs messages m0 , m1 which B also outputs. Given a challenge ciphertext c∗ , adversary B computes t∗ ← MacK2 (c∗ ) and gives the challenge ciphertext hc∗ , t∗ i to A, answering its oracle queries as before. Eventually, A outputs a bit b0 which B outputs as well. It remains to analyze B’s success probability. First, notice that B can answer A’s encryption queries perfectly. Furthermore, if query does not occur, then the only valid decryption queries A makes are for ciphertexts that were the result of previous encryption queries. In this case (i.e., conditioned on query), B will also correctly answer all of A’s decryption queries (using its table). It follows then that conditioned on query, the view of A is identical to its view when attacking SKE. The claim follows.
References 1. B. Barak and S. Halevi. A model and architecture for pseudorandom generation and applications to /dev/random. ACM Conf. on Computer and Communications Security 2005. 2. M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. 38th Annual Symposium on Foundations of Computer Science (FOCS) 1997. 3. M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. Asiacrypt 2000. 4. M. Bellare and B. Yee. Forward-security in private-key cryptography. RSA — Cryptographers’ Track 2003. 5. C. Bosley and Y. Dodis. Does privacy require true randomness? Theory of Cryptography Conference 2007. 6. Y. Dodis, S.J. Ong, M. Prabhakaran, and A. Sahai. On the (im)possibility of cryptography with imperfect randomness. 45th Annual Symposium on Foundations of Computer Science (FOCS) 2004. 7. Y. Dodis and J. Spencer. On the (non)universality of the one-time pad. 43rd Annual Symposium on Foundations of Computer Science (FOCS) 2002.
8. K. Fu, S. Kamara, and T. Kohno. Key regression: Enabling efficient key distribution for secure distributed storage. NDSS 2006. 9. O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. J. ACM 33(4):792–807, 1984. 10. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences 28(2):270–299, 1984. 11. J. Katz and Y. Lindell. Introduction to Modern Cryptography. Chapman & Hall/CRC Press, 2007. 12. J. Katz and M. Yung. Characterization of security notions for probabilistic privatekey encryption. J. Cryptology 19(1):67–96, 2006. 13. J. McInnes and B. Pinkas. On the impossibility of private-key cryptography with weakly random keys. Advances in Cryptology — Crypto ’90. 14. C. Rackoff and D. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology – Crypto ’91. 15. P. Rogaway. Nonce-based symmetric encryption. Fast Software Encryption (FSE) 2004.
A
Nonce-based Private-key Encryption
We offer a definition in the spirit of nonce-based security [15], but we do not require that ciphertexts be indistinguishable from random strings. (This extra requirement is irrelevant as far as the results of the present paper are concerned.) Definition 2 (Nonce-based CPA-security). Let SKE = (Gen, Enc, Dec) be a private-key encryption scheme where encryption uses k random coins and we treat these coins as a nonce. SKE is nonce-based CPA-secure if the advantage of any polynomial-time adversary A in the following experiment is negligible (in k): 1. First, a key K ← Gen(1k ) is generated. Set Nonces = {0, 1}k . 2. A is allowed to adaptively submit multiple queries of the form hm, ri, subject always to the restriction that r ∈ Nonces. In response to each such a query, A is given c = EncK (m; r) and r is removed from Nonces. 3. A outputs two equal-length messages m0 , m1 and a nonce r ∈ Nonces. A bit b is chosen at random, and a “challenge ciphertext” c = EncK (mb ; r) is computed and given to A. Also, r is removed from Nonces. 4. A may continue to interact with its oracle as before. Eventually, it outputs a bit b0 ; the experiment evaluates to 1 if b0 = b. We denote the above experiment by NB-CPAA,SKE (k), and define the advantage of A in the experiment as Pr[NB-CPAA,SKE (k) = 1] − 21 .
